---
# =============================================================================
# site.yml — Master Playbook for the Timmy Foundation Fleet
# =============================================================================
# This is the ONE playbook that defines the entire fleet state.
# Run this and every machine converges to golden state.
#
# Usage:
#   ansible-playbook -i inventory/hosts.yml playbooks/site.yml
#   ansible-playbook -i inventory/hosts.yml playbooks/site.yml --limit bezalel
#   ansible-playbook -i inventory/hosts.yml playbooks/site.yml --check --diff
# =============================================================================

- name: "Timmy Foundation Fleet — Full Convergence"
  hosts: wizards
  become: true

  pre_tasks:
    - name: "Validate no banned providers in golden state"
      assert:
        that:
          - "item.name not in banned_providers"
        fail_msg: "BANNED PROVIDER DETECTED: {{ item.name }} — Anthropic is permanently banned."
        quiet: true
      loop: "{{ golden_state_providers }}"
      tags: [always]

    - name: "Display target wizard"
      debug:
        msg: "Deploying to {{ wizard_name }} ({{ wizard_role }}) on {{ ansible_host }}"
      tags: [always]

  roles:
    - role: wizard_base
      tags: [base, setup]

    - role: golden_state
      tags: [golden, config]

    - role: deadman_switch
      tags: [deadman, recovery]

    - role: request_log
      tags: [telemetry, logging]

    - role: cron_manager
      tags: [cron, schedule]

  post_tasks:
    - name: "Final validation — scan for banned providers"
      shell: |
        grep -ri 'anthropic\|claude-sonnet\|claude-opus\|claude-haiku' \
          {{ hermes_home }}/config.yaml \
          {{ wizard_home }}/config.yaml \
          {{ thin_config_path }} 2>/dev/null || true
      register: banned_scan
      changed_when: false
      tags: [validation]

    - name: "FAIL if banned providers found in deployed config"
      fail:
        msg: |
          BANNED PROVIDER DETECTED IN DEPLOYED CONFIG:
          {{ banned_scan.stdout }}
          Anthropic is permanently banned. Fix the config and re-deploy.
      when: banned_scan.stdout | length > 0
      tags: [validation]

    - name: "Deployment complete"
      debug:
        msg: "{{ wizard_name }} converged to golden state. Provider chain: {{ golden_state_providers | map(attribute='name') | list | join(' → ') }}"
      tags: [always]